denial of service

As a security professional, I talk to a lot of people about common security attacks and countermeasures. I’m not always certain the people I’m talking to know what these things mean. I am almost certain they aren’t willing to ask.

I know it’s more complicated than it was when I took my Security+ exam a decade ago. The stakes are much higher now. The attacks I had to identify caused inconvenience, but someone conducting a successful smurf attack on your printer won’t get you in the headlines. Today’s attacks will.

Yesterday, half the Internet was broken. I knew something was wrong when I couldn’t get into Salesforce to check on a support ticket for my biggest customer. Another member of my team sent us a warning that a big DDoS attack was happening, and not to count on being able to issue very many quotes today. So what, exactly, is a DDoS attack and how do DDoS attacks work?

I suppose there’s another question to ask too: What can you do to avoid being part of the problem? We’ll save that for the end.

Yesterday must have been Webserver Wednesdsay, because two things happened. A new version of Apache was released, and a new tool for testing the vulnerability of webservers to denial of service (DoS) was released.

I got mail at work today. The subject:
David you have an e-card from Alex.

Well, about the only person I know who calls me David is my mom. And I don’t know anybody named Alex. And why would a guy be sending me an e-card? Not wanting to explore that possibility any further, I disregarded it.

Then I remembered reading about something like that somewhere, so I went back and looked at it.

Short story: A really sleazy e-card company is sending out e-mail containing nothing but an URL at friendgreetings.com, which sends down ActiveX controls and installs some spyware that, among other things, sends bogus cards to everyone in your Outlook address book. That’s where I got that e-card message from. I was in this guy’s address book, for whatever reason. (Turns out he’s the webmaster at work. Funny how the webmaster and the hostmaster can go for long periods of time and never meet, eh?)

Officially, this isn’t a virus or a worm because it’s a company doing this crap, rather than a bored loser who lives in his parents’ basement and you have to click on an EULA (which most people do blindly anyway) for it to activate. I fail to see the difference, but I guess I’m weird that way.

I originally wrote that the anti-virus makers didn’t consider this a worm, but Symantec seems to have relented. You can get a removal tool at Symantec’s site.

If you want to protect yourself pre-emptively, locate your hosts file (in C:\winnt\system32\drivers\etc on NT/2000/XP; I’m wanting to say it’s in C:\Windows\System on Win9x; on most Unix systems it’s in /etc, not that it matters since this not-a-worm runs on Windows) and add the following entry:

127.0.0.1 www.friendgreetings.com

More cleanly, you can ask your network admins really nicely if they can block friendgreetings.com at the firewall or DNS level.

If you have inadvertently unleashed this monster, first, close Outlook immediately. Normally, I’d advise getting right with everyone else before cleaning things up, but since there’s the risk of making things worse if you do it that way, clean house, then start apologizing.

If you want to be really safe, go into the control panel and remove anything that appears to have anything to do with friendgreetings.com. Next, I’d go to www.cognitronix.com and download Active Xcavator and remove anything having to do with friendgreetings.com. Next, I’d head over to LavaSoft and download Ad-Aware and let it shoot anything that moves.

Next, apologize profusely to the guy who runs your mail server (ours got clogged up for hours processing all the mail from not-our-friendgreetings.com) and to everyone in your address book. I can’t offer you any advice on the best way to do that. Except I’d use something other than Outlook to do it. Head over to TinyApps.org to find yourself a small freeware mail client. Assuming you’re not on an Exchange server, I’d suggest pulling the network plug before firing up Outlook again to get those e-mail addresses.

Meanwhile, it would do no good whatsoever if everyone who’s gotten one of these annoying e-cards (whether they opened it or not) opened a command prompt and typed ping -t www.friendgreetings.com and left it running indefinitely. No good whatsoever. It’s still a distributed denial of service attack if all of the participants participate voluntarily and independently. Right?

Aw, poow widdle awe-aye-ay-ay! Poow widdle bay-bee!
The RIAA, if you recall correctly, is endorsing legislation that would permit copyright terrorists holders to knock off or hack into computers they suspect are being used to violate copyright law. So I guess calling what they want “copyright terrorism” is apt. Read more

Sorry about the downtime today. I upgraded to Apache 1.3.26 to close a denial of service hole (since I never, ever write anything the least bit controversial–ahem–except on days that end in -ay) and then I neglected to restart it.
Welcome back to your normal, everyday life, Dave.

Incidentally, last week’s outage appears to have been due to a power failure. Steve DeLassus recognized it and e-mailed me in vain, but seeing as I’d sworn off e-mail for the week it didn’t do much good. I’m not overly concerned about it; my Linux servers’ uptime is measured in years as long as Ameren keeps the current flowing.